
double quotes crash Phpdig


Rolandks
10-03-2003, 08:18 AM
+ exact words
+ "reference documentation" in quotes

Search for test (http://www.phpdig.net/demo/search.php?template_demo=.%2Ftemplates%2Fphpdig.html&site=0&path=&result_page=search.php&query_string=%22reference+documentation%22&search=Go...&limite=10&option=exact)

mysql_num_rows(): supplied argument is not a valid MySQL result resource on libs/search_function.php in line 164

Possible solution:
In line 53: quotes and other things which crash a MySQL query must be deleted.

Iltud
10-04-2003, 01:29 PM
Hi,

I'm not sure, but can this bug cause a critical SQL insertion with a "drop table" query?

For example, if the searched words are like this:

none';drop table keywords;select * from keywords where etc...


Nicolas.

Charter
10-05-2003, 11:52 AM
Hi. Please check and see if you can break it again. Thanks.

Iltud
10-05-2003, 12:22 PM
Edit for solution:

After checking, there is no possibility to include SQL code. But there is effectively a bug, as Roland said.

All quotes are badly stripped.

At the beginning "reference documentation" is transformed into \"reference documentation\".

At line #100 in search_function.php it is then transformed into \reference documentation\ (the quotes disappear).

Then each word, separated by a space, is used in a query. In Roland's case this gives two queries with:

.... AND k.keyword like '\reference%'
and
.... AND k.keyword like 'documentation\%'

Of course, this causes MySQL to fail.


IMHO, a solution could be around lines 97-103.



Thanks,
Nicolas.

Charter
10-05-2003, 02:20 PM
Hi. In search_function.php find:

$query_to_parse = trim(ereg_replace(" +"," ",$query_to_parse)); // no more than 1 blank

and before it add:

if (eregi("[^[:alnum:]^ +]+",$query_to_parse)) { $query_to_parse = eregi_replace("[^[:alnum:]^ ]+"," ",$query_to_parse); }

Also, in search_function.php find:

$kconds[$ncrit] .= " AND k.keyword ".$like_operator[$option]." '".$like_start[$option].$regs[2].$like_end[$option]."' ";

and replace with:

$kconds[$ncrit] .= " AND k.keyword ".$like_operator[$option]." '".$like_start[$option].stripslashes($regs[2]).$like_end[$option]."' ";

Of course, remove any "word" wrapping in the above code. ;)
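The transformation Iltud traced and the two-line fix Charter posted, modelled in Python so the generated clauses can be compared side by side. This is an added example, not PHPdig's own code (which is PHP): the LIKE table standing in for $like_operator/$like_start/$like_end, the function names and the sample inputs are assumptions constructed for illustration. The last function shows the parameterised form such a fix would take today.

```python
"""Model of the PHPdig search-term handling discussed in this thread.

Added example, not PHPdig's own code. It re-implements in Python the string
transformations Iltud traced (magic_quotes adds backslashes, the quote strip
around line 100 leaves them behind, every word becomes its own LIKE clause)
and Charter's fix (whitelist to letters/digits/space, then stripslashes).
The LIKE table, the function names and the sample queries are constructed
for illustration; the real $like_operator/$like_start/$like_end arrays are
not reproduced here.
"""
import re


# PHP's addslashes(), which magic_quotes_gpc applied to every request value.
def addslashes(s: str) -> str:
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


# PHP's stripslashes(): drop the backslash, keep the character after it.
def stripslashes(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


# Assumed shapes for three search modes: (operator, prefix, suffix).
LIKE = {"exact": ("like", "", ""),
        "start": ("like", "", "%"),
        "any": ("like", "%", "%")}


def buggy_kconds(raw_query: str, option: str) -> list[str]:
    """Original flow: magic quotes escape the quotes, line ~100 strips the
    quotes but not the backslashes, and each word is spliced into SQL."""
    q = addslashes(raw_query)          # "reference documentation" -> \"reference documentation\"
    q = q.replace('"', "")             # -> \reference documentation\
    q = re.sub(" +", " ", q).strip()   # no more than one blank
    op, start, end = LIKE[option]
    return [f" AND k.keyword {op} '{start}{w}{end}' " for w in q.split(" ")]


def fixed_kconds(raw_query: str, option: str) -> list[str]:
    """Charter's fix: replace every run of non-alphanumeric, non-space
    characters with a space before parsing, then stripslashes each word."""
    q = addslashes(raw_query)
    q = re.sub(r"[^A-Za-z0-9 ]+", " ", q)   # eregi_replace("[^[:alnum:] ]+"," ",...)
    q = re.sub(" +", " ", q).strip()
    op, start, end = LIKE[option]
    return [f" AND k.keyword {op} '{start}{stripslashes(w)}{end}' "
            for w in q.split(" ")]


def mysql_literal_terminates(clause: str) -> bool:
    """Read the single-quoted literal in a clause the way MySQL's lexer does:
    a backslash escapes the next character, so a word that ends in a
    backslash with nothing after it but the closing quote swallows that
    quote and the literal never terminates."""
    i = clause.index("'") + 1
    while i < len(clause):
        if clause[i] == "\\":
            i += 2                     # \r, \%, \' ... each consumes one more char
            continue
        if clause[i] == "'":
            return True
        i += 1
    return False


def safe_kconds(raw_query: str, option: str) -> tuple[str, list[str]]:
    """What a current fix would do instead: bind each word as a parameter
    (%s placeholders, the MySQLdb/PyMySQL paramstyle) so no user text is
    spliced into the statement, and escape LIKE metacharacters so a user
    '%' or '_' matches literally instead of acting as a wildcard.
    Assumes magic_quotes is off, so raw_query is the unmodified input."""
    op, start, end = LIKE[option]
    words = raw_query.replace('"', "").split()
    sql = "".join(f" AND k.keyword {op} %s" for _ in words)
    params = [start + re.sub(r"([\\%_])", r"\\\1", w) + end for w in words]
    return sql, params


if __name__ == "__main__":
    for clause in buggy_kconds('"reference documentation"', "exact"):
        print(repr(clause), "terminates:", mysql_literal_terminates(clause))
    print(fixed_kconds('"reference documentation"', "start"))
    print(safe_kconds('50% off_today', "any"))
```

Running the buggy path with the "start" suffix reproduces the two clauses Iltud quoted, '\reference%' and 'documentation\%'. Note that mysql_literal_terminates() returns True for the second of those (a backslash before % is a valid MySQL escape, so the literal closes and the server looks for a literal percent sign) but False for 'documentation\' in the suffix-less mode, where nothing follows the backslash but the closing quote. The model builds only the k.keyword clause, so it does not reproduce every statement PHPdig issues for a search.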

manute
10-15-2003, 06:52 AM
Hey, I just wanted to post that bug, but fortunately there's a solution already. Great, thanks. :-)

chazter
10-21-2003, 01:40 PM
Thanks for the solution with the double quotes. Much appreciated. It worked for me. :D

barrett_lyon
10-24-2003, 12:40 PM
I have yet to test it, but I am pretty sure anyone can inject MySQL queries into the search field. Sorry I have not researched the code on my own; I am hoping someone else has already done that effort.

Also, I have written some code that allows regex searches. Is there an easy way to submit a diff?

Charter
10-24-2003, 03:36 PM
Hi. The code eregi_replace("[^[:alnum:]^ ]+"," ",$query_to_parse); takes everything that is not a number, letter, or space and replaces it with a space. This happens before $kconds[$ncrit] is formed, where $kconds[$ncrit] is used to make the mysql query from the search field. Please do examine the code. The more eyes, the better.

The regex code sounds cool. Please post it in the Mod Submissions (http://www.phpdig.net/forumdisplay.php?forumid=24) forum.